Referring to bug #28953, the problem has not been solved.
No status in response body for 401. Example project: https://github.com/BATON35/spring-boot-custom-error-handling.git
Response from Postman for Spring Boot 2.6.2:
Response from Postman for Spring Boot 2.5.x:
Comment From: wilkinsona
@BATON35 The repository to which you've linked doesn't appear to reproduce the problem you've described. For example, as far as I can tell, it doesn't use Spring Security. Can you please clarify?
Comment From: BATON35
@wilkinsona I am sorry. I forgot to update the repository. Now you can reproduce the problem.
Comment From: philwebb
I'm unable to replicate the problem with the sample. If I change the parent POM to <version>2.6.2</version> and remove the version number from spring-boot-starter-security I get the following:
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.6.2)
...
$ curl http://localhost:8086/demo-controller/test1
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1></body></html>
@BATON35 Can you please update your sample to use Spring Boot 2.6.2 and provide detailed instructions on how we can replicate the problem.
Comment From: lgraf
@philwebb @wilkinsona I see the same behaviour in our application for HTTP 401/403 errors, even if I add permitAll() to /error in my security configuration.
I put a small example together where the problem can be reproduced: https://github.com/lgraf/error-page-example
The example contains two tests that call a secured rest endpoint and can be used to reproduce the issue.
- Call the endpoint without authentication (401 case)
- Call the endpoint with an authenticated user without the required permission/role (403 case)
The security configuration contains an explicit permitAll() to /error.
The tests fail with spring-boot 2.6; when I change the spring-boot version back to 2.5, the test cases pass.
Additional observations
As noted in a comment of #28953.
The ErrorPageSecurityFilter uses HttpServletRequest.getRequestURI() as the uri parameter for the WebInvocationPrivilegeEvaluator.isAllowed(uri, authentication) method, which contains the context path. The JavaDoc notes that the context path should be excluded from the uri parameter.
Not sure if it is the root cause of the issue, but if I remove the context-path configuration for the application, the test passes also with spring-boot 2.6.2 (there is a commented-out property configuration to remove the context-path configuration in the test class).
Comment From: datagitlies
This issue is still not fully resolved. The good news is that 3460c24 makes adding .antMatchers("/error").permitAll() work (which is an improvement), but the issue remains if an application uses .antMatchers("/error").authenticated(); see my comment in #28953.
Why is the authentication in the isAllowed(..) method returning an instance of AnonymousAuthenticationToken when the user is authenticated? It's like the authentication from the SecurityContextHolder is being wiped out somehow before reaching this method or it's not using the same security context as the original request. Any thoughts?
Comment From: wilkinsona
@datagitlies Sorry that you're still having problems here. It's hard to say what's happening without seeing a complete example of the problem that you're facing. There are some forthcoming changes in Spring Security that may help here. I tried to describe them in this issue comment. I can't be certain that they'll help as I don't feel that I fully understand your problem. Perhaps you can try the Spring Security snapshot and, if that doesn't help, create a new issue with a minimal sample that reproduces your problem.
Comment From: datagitlies
Thanks @wilkinsona - I tried using spring-security 5.6.2-SNAPSHOT but it was the same result for .antMatchers("/error").authenticated() (i.e. no response body for an authenticated user) ... I'll see if I can get a minimal sample project that reproduces my problem. If I get there, I'll just open a new issue with those details.
Comment From: mbhave
@datagitlies My guess is that you're using a STATELESS session policy, either by setting it explicitly or via a @Transient authentication. In that case, the Authentication is not available in the SecurityContextHolder once the error dispatch happens. A new issue with a sample that reproduces the issue would be great.
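The two situations discussed above (lgraf's 401/403 reproduction behind a context path, and the STATELESS case mbhave describes) can be captured in one small Spring Boot 2.6 application. The code below is an added example written for this page; it is not taken from either linked repository. It assumes spring-boot-starter-web, spring-boot-starter-security, HTTP Basic authentication, and server.servlet.context-path=/app in application.properties; the /admin/secret endpoint, the in-memory users and their passwords are made up for the illustration. The /error path is opened with permitAll() rather than authenticated() because, with a STATELESS session, the Authentication is no longer in the SecurityContextHolder when the ERROR dispatch reaches the ErrorPageSecurityFilter.

```java
// Added example for this thread; not code from the issue's sample projects.
// Assumes server.servlet.context-path=/app so TestRestTemplate targets /app/... .
package com.example.errorpage;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
class App { }

@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests()
                // Open the error dispatch explicitly. In 2.6 the ErrorPageSecurityFilter
                // re-checks /error on the ERROR dispatch; authenticated() would fail here
                // for a STATELESS session because the Authentication is already gone.
                .antMatchers("/error").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            // The session policy mbhave's comment refers to.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return http.build();
    }

    // Hypothetical users; {noop} means the password is stored in plain text, test use only.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password("{noop}pw").roles("USER").build(),
            User.withUsername("admin").password("{noop}pw").roles("ADMIN").build());
    }
}

@RestController
class DemoController {
    @GetMapping("/admin/secret")
    String secret() { return "secret"; }
}

// A real server is required: MockMvc does not perform the container's error-page dispatch,
// so the filter under discussion would never run. In a project this class lives in src/test.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class ErrorBodyTest {

    @Autowired
    TestRestTemplate rest;

    // 401 case: no credentials at all.
    @Test
    void unauthenticatedRequestGets401WithErrorBody() {
        ResponseEntity<String> r = rest.getForEntity("/admin/secret", String.class);
        assertEquals(HttpStatus.UNAUTHORIZED, r.getStatusCode());
        assertTrue(r.getBody() != null && r.getBody().contains("\"status\":401"),
            "expected the BasicErrorController JSON body, got: " + r.getBody());
    }

    // 403 case: authenticated, but lacking ROLE_ADMIN.
    @Test
    void authenticatedWithoutRoleGets403WithErrorBody() {
        ResponseEntity<String> r = rest.withBasicAuth("user", "pw")
            .getForEntity("/admin/secret", String.class);
        assertEquals(HttpStatus.FORBIDDEN, r.getStatusCode());
        assertTrue(r.getBody() != null && r.getBody().contains("\"status\":403"),
            "expected the BasicErrorController JSON body, got: " + r.getBody());
    }
}
```

The assertions state the behaviour the thread expects (a JSON error body carrying the status); as lgraf reports, on the 2.6.x versions discussed above they fail while the context path is set and pass when the server.servlet.context-path property is removed. Switching /error from permitAll() to authenticated() while keeping SessionCreationPolicy.STATELESS reproduces the empty-body case datagitlies describes, because the ERROR dispatch is evaluated with an anonymous authentication.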
Comment From: datagitlies
@mbhave see #29655 which is exactly what you stated above. Is STATELESS no longer supported for this scenario?
Comment From: Akshay45xo
@BATON35 Hey, how do I remove the path from that exception message?